<?php
namespace Drupal\Tests\simple_oauth_extras\Functional;
use Drupal\Component\Serialization\Json;
use Drupal\Core\Url;
use Drupal\simple_oauth\Entity\Oauth2Client;
use Drupal\Tests\BrowserTestBase;
use Drupal\Tests\simple_oauth\Functional\RequestHelperTrait;
use Drupal\user\Entity\Role;
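/**
 * Tests how a token's requested scopes are reconciled with the roles that the
 * user and the client actually hold, both at issue time and on later requests.
 *
 * Every test obtains a token via the client_credentials grant and then asks the
 * "oauth2_token.user_debug" route who that bearer token resolves to (user id,
 * roles and a permission map).
 *
 * @group simple_oauth_extras
 */
class RolesNegotiationFunctionalTest extends BrowserTestBase {

  use RequestHelperTrait;

  /**
   * {@inheritdoc}
   */
  public static $modules = [
    'image',
    'simple_oauth',
    'simple_oauth_extras',
    'text',
    'user',
  ];

  /**
   * The token endpoint ("oauth2_token.token").
   *
   * @var \Drupal\Core\Url
   */
  protected $url;

  /**
   * The debug endpoint that reports the account a bearer token resolves to.
   *
   * @var \Drupal\Core\Url
   */
  protected $tokenTestUrl;

  /**
   * The confidential client used for the client_credentials grant.
   *
   * @var \Drupal\simple_oauth\Entity\Oauth2Client
   */
  protected $client;

  /**
   * The user the client acts on behalf of; holds the "foo" and "bar" roles.
   *
   * @var \Drupal\user\Entity\User
   */
  protected $user;

  /**
   * HTTP client bound to the test site's base URL.
   *
   * @var \GuzzleHttp\Client
   */
  protected $httpClient;

  /**
   * Absolute path of the private key copied into the temp dir for the test.
   *
   * @var string
   */
  protected $privateKeyPath;

  /**
   * Absolute path of the public key copied into the temp dir for the test.
   *
   * @var string
   */
  protected $publicKeyPath;

  /**
   * Plain-text client secret, generated per test run.
   *
   * @var string
   */
  protected $clientSecret;

  /**
   * {@inheritdoc}
   */
  public function setUp() {
    parent::setUp();
    $this->htmlOutputEnabled = FALSE;
    $this->tokenTestUrl = Url::fromRoute('oauth2_token.user_debug');
    $this->url = Url::fromRoute('oauth2_token.token');
    $this->user = $this->drupalCreateUser();
    $this->httpClient = $this->container
      ->get('http_client_factory')
      ->fromOptions(['base_uri' => $this->baseUrl]);
    $this->clientSecret = $this->getRandomGenerator()->string();

    $this->createTestRoles();
    // The user holds "foo" and "bar"; "oof" is only reachable via the client.
    $this->user->addRole('foo');
    $this->user->addRole('bar');
    $this->user->save();

    $this->createTestClient();
    $this->installTestKeys();
  }

  /**
   * Creates the three roles the negotiation tests rely on.
   *
   * Each role carries exactly one distinct simple_oauth permission, so the
   * permission map returned by the debug endpoint reveals which roles a token
   * effectively resolved to.
   */
  protected function createTestRoles() {
    $definitions = [
      'foo' => ['label' => 'Foo', 'permission' => 'view own simple_oauth entities'],
      'bar' => ['label' => 'Bar', 'permission' => 'administer simple_oauth entities'],
      'oof' => ['label' => 'Oof', 'permission' => 'delete own simple_oauth entities'],
    ];
    foreach ($definitions as $id => $definition) {
      $role = Role::create([
        'id' => $id,
        'label' => $definition['label'],
        'is_admin' => FALSE,
      ]);
      $role->grantPermission($definition['permission']);
      $role->save();
    }
  }

  /**
   * Creates the confidential client, granting it only the "oof" role.
   */
  protected function createTestClient() {
    $this->client = Oauth2Client::create([
      'owner_id' => 1,
      'user_id' => $this->user->id(),
      'label' => $this->getRandomGenerator()->name(),
      'secret' => $this->clientSecret,
      'confidential' => TRUE,
      'roles' => [
        ['target_id' => 'oof'],
      ],
    ]);
    $this->client->save();
  }

  /**
   * Copies the module's test key pair into the temp dir and configures it.
   *
   * Reads and writes are asserted so a missing or unreadable fixture fails
   * here, with a message naming the path, instead of surfacing later as an
   * opaque token-signing error.
   */
  protected function installTestKeys() {
    $module_path = $this->container
      ->get('module_handler')
      ->getModule('simple_oauth')
      ->getPath();
    $certificates = DRUPAL_ROOT . '/' . $module_path . '/tests/certificates';

    // NOTE(review): the destination names are fixed, so concurrent test runs on
    // the same host write to and read from the same two files in the shared
    // temp dir. These are fixture keys only, but a unique per-run directory
    // would isolate runs from each other.
    $temp_dir = sys_get_temp_dir();
    $this->publicKeyPath = $temp_dir . '/public.key';
    $this->privateKeyPath = $temp_dir . '/private.key';

    $copies = [
      $certificates . '/public.key' => $this->publicKeyPath,
      $certificates . '/private.key' => $this->privateKeyPath,
    ];
    foreach ($copies as $source => $destination) {
      $contents = file_get_contents($source);
      $this->assertNotFalse($contents, "Unable to read key fixture $source.");
      $written = file_put_contents($destination, $contents);
      $this->assertNotFalse($written, "Unable to write key file $destination.");
      // Group-readable, presumably so the process serving the test site can
      // load the key even when it runs as a different user - confirm.
      chmod($destination, 0660);
    }

    $settings = $this->config('simple_oauth.settings');
    $settings->set('public_key', $this->publicKeyPath);
    $settings->set('private_key', $this->privateKeyPath);
    $settings->save();
  }

  /**
   * Tests a token whose requested role is later removed from the user.
   *
   * The existing token must stop resolving to the user entirely (anonymous),
   * and a freshly issued token must only carry the roles the user still has.
   */
  public function testRequestWithRoleRemovedFromUser() {
    $access_token = $this->getAccessToken(['foo', 'bar']);
    $parsed_response = $this->requestTokenDebugInfo($access_token);
    $this->assertEquals($this->user->id(), $parsed_response['id']);
    $this->assertEquals([
      'foo',
      'bar',
      'authenticated',
      'oof',
    ], $parsed_response['roles']);
    $this->assertTrue($parsed_response['permissions']['view own simple_oauth entities']['access']);
    $this->assertTrue($parsed_response['permissions']['administer simple_oauth entities']['access']);

    // Revoke "bar" while the previously issued token is still unexpired.
    $this->user->removeRole('bar');
    $this->user->save();

    // The token was issued for a scope the user no longer holds: the request
    // is treated as anonymous rather than being downgraded to the remaining
    // roles.
    $parsed_response = $this->requestTokenDebugInfo($access_token);
    $this->assertEquals(0, $parsed_response['id']);
    $this->assertEquals(['anonymous'], $parsed_response['roles']);
    $this->assertFalse($parsed_response['permissions']['view own simple_oauth entities']['access']);
    $this->assertFalse($parsed_response['permissions']['administer simple_oauth entities']['access']);

    // A new token asking for the same scopes is issued, but "bar" is dropped.
    $access_token = $this->getAccessToken(['foo', 'bar']);
    $parsed_response = $this->requestTokenDebugInfo($access_token);
    $this->assertEquals($this->user->id(), $parsed_response['id']);
    $this->assertEquals([
      'foo',
      'authenticated',
      'oof',
    ], $parsed_response['roles']);
    $this->assertTrue($parsed_response['permissions']['view own simple_oauth entities']['access']);
    $this->assertFalse($parsed_response['permissions']['administer simple_oauth entities']['access']);
  }

  /**
   * Tests a token whose requested role is later removed from the client.
   *
   * Mirrors testRequestWithRoleRemovedFromUser() for the client's own roles:
   * the existing token becomes anonymous, and a new token no longer carries
   * "oof".
   */
  public function testRequestWithRoleRemovedFromClient() {
    $access_token = $this->getAccessToken(['oof']);
    $parsed_response = $this->requestTokenDebugInfo($access_token);
    $this->assertEquals($this->user->id(), $parsed_response['id']);
    $this->assertEquals([
      'authenticated',
      'oof',
    ], $parsed_response['roles']);
    $this->assertTrue($parsed_response['permissions']['delete own simple_oauth entities']['access']);

    // Strip every role from the client while the token is still unexpired.
    $this->client->set('roles', []);
    $this->client->save();

    $parsed_response = $this->requestTokenDebugInfo($access_token);
    $this->assertEquals(0, $parsed_response['id']);
    $this->assertEquals(['anonymous'], $parsed_response['roles']);
    $this->assertFalse($parsed_response['permissions']['view own simple_oauth entities']['access']);

    // A new token still requesting "oof" is issued without it.
    $access_token = $this->getAccessToken(['oof']);
    $parsed_response = $this->requestTokenDebugInfo($access_token);
    $this->assertEquals($this->user->id(), $parsed_response['id']);
    $this->assertEquals(['authenticated'], $parsed_response['roles']);
    $this->assertFalse($parsed_response['permissions']['delete own simple_oauth entities']['access']);
  }

  /**
   * Tests a token requested without any scope.
   *
   * Without a scope the token carries only the client's role ("oof"), not the
   * user's roles, so the user-level permission is denied.
   */
  public function testRequestWithMissingScope() {
    $access_token = $this->getAccessToken();
    $parsed_response = $this->requestTokenDebugInfo($access_token);
    $this->assertEquals($this->user->id(), $parsed_response['id']);
    $this->assertEquals([
      'authenticated',
      'oof',
    ], $parsed_response['roles']);
    $this->assertFalse($parsed_response['permissions']['view own simple_oauth entities']['access']);
  }

  /**
   * Calls the token debug endpoint with a bearer token and decodes the body.
   *
   * @param string $access_token
   *   The access token to present in the Authorization header.
   *
   * @return array
   *   The decoded JSON response; the tests read its "id", "roles" and
   *   "permissions" keys.
   */
  protected function requestTokenDebugInfo($access_token) {
    $response = $this->request('GET', $this->tokenTestUrl, [
      'query' => ['_format' => 'json'],
      'headers' => ['Authorization' => 'Bearer ' . $access_token],
    ]);
    $parsed_response = Json::decode($response->getBody()->getContents());
    // Json::decode() yields NULL on malformed input; fail with a clear message
    // rather than with notices on the subsequent key lookups.
    $this->assertTrue(is_array($parsed_response), 'The token debug endpoint returned a JSON object.');
    return $parsed_response;
  }

  /**
   * Obtains an access token through the client_credentials grant.
   *
   * @param string[] $scopes
   *   Role IDs to request as scopes. When empty no "scope" parameter is sent,
   *   so the server falls back to the client's own roles.
   *
   * @return string
   *   The issued access token.
   */
  private function getAccessToken(array $scopes = []) {
    $payload = [
      'grant_type' => 'client_credentials',
      'client_id' => $this->client->uuid(),
      'client_secret' => $this->clientSecret,
    ];
    if (!empty($scopes)) {
      $payload['scope'] = implode(' ', $scopes);
    }
    $response = $this->request('POST', $this->url, [
      'form_params' => $payload,
    ]);
    $parsed_response = Json::decode($response->getBody()->getContents());
    // A refused grant (no "access_token" in the body) must fail here, naming
    // the cause, instead of producing an undefined-index notice that would
    // look like a negotiation failure further down the test.
    $this->assertTrue(
      is_array($parsed_response) && isset($parsed_response['access_token']),
      'The token endpoint issued an access token.'
    );
    return $parsed_response['access_token'];
  }

}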